NETWORK SECURITY

The Impact of Computer and Network Security in
Corporations Today:
Understanding the Impact and Solutions of Computer
and Network Security in Today’s World
by
Steve Mallard

In today's world of the internet and
ecommerce, many companies lack the expertise
and training to secure their critical network
infrastructure and data. Because of this gap,
many companies' infrastructures are subject to
being compromised.

With extortion, cyber theft, malicious attacks
and internal theft occurring at an
unprecedented pace, many companies are only
now becoming aware of these problems.
While a few companies and corporations
awaken to a new world of problems, many
continue to sleep, oblivious to what is
happening as they go about their daily work.
This research gives terminology and briefs
from the Information Technology industry.

Until now, computer security and locking down
the network infrastructure have been on the back
burner with most companies and corporations
because of cost. According to a corporate poll in a
nationally recognized information technology magazine,
99% of U.S. companies now use some type of
preventive antivirus technology, with 98% of these
companies now using firewalls. This electronic
security poll was based on compiled information
from larger corporations and their practices and
does not include the small to midsize companies
found throughout the United States.

The cost of an electronic exploit can be greater than
a million dollars per incident, as reported by the
FBI (Federal Bureau of Investigation) in its report on
cyber threats in the United States. To help
counterbalance this, smaller to midsized
companies could spend less than $5,000 to
harden their systems and operating systems and to
put a stateful firewall in place. As stated in
this paper, these companies often lack the
resources, materials and funds to do so.
The example companies and how they used
modern methods for "locking down" their networks and
client data will be discussed. The following steps have
been used to gather the analysis for this paper:
Collected data to support the weaknesses and underlying
causes of security collapse.
Used professional experience from the researcher's
company to analyze and confirm research
materials.
Consulted with Allen Corporation, Neill Corporation and
Taylor Corporation to gather information relevant to the
discussion on security in modern infrastructures.
Analyzed and collected data based on the scope outlined in
these sections.
Made the final analysis.

1960 Students become the first hackers
1970 Phone phreaking and Captain Crunch
1980 Hacker boards on BBSs (early ways to chat)
1983 Kids begin hacking
Note: Los Alamos National Laboratory, which helps develop
nuclear weapons, was hacked this year.
1984 Hacker magazines
1986 Computer Fraud and Abuse Act
1986 Boot sector viruses
1987 File-infecting viruses
1988 First antivirus solutions; encrypted viruses
1988 Unix worm
1989 Cyber espionage involving Germans and the KGB
1989 Credit card theft goes mainstream
1989 Date-triggered viruses
1990 Stealth, polymorphic, multipartite and armored viruses
1991 Stealth, polymorphic and multipartite viruses
1992 Code-changing viruses
1993 Viruses that attacked viruses
1993 Hacking used to cheat a phone system to win a contest
1994 Hacking tools become available
1994 Encoded viruses
1995 Kevin Mitnick hacks the government
1995 First macro viruses
1996 Macro viruses affecting Microsoft Excel
1997 AOL (largest ISP) hacked
1998 The cult of hacking takes off
1998 Spyware/malware begins to download to machines globally
1999 Macro viruses affecting Microsoft Word
1999 Software security (Windows begins providing updates)
2000 Denial of service attacks
2000 Worm viruses
2001 DNS attack

General Internal Company Security and
Auditing Controls are being applied today so
that companies can have a standard approach
that brings together different opinions and ideas.
These Internal Controls are generally assembled
by a consortium of management and
other personnel to achieve the company's
objectives. Internal Controls allow companies
to maintain several of the following areas:

Efficiency of operations.
Compliance with laws and regulations.

Several documents have also been released to
suggest ideas about Internal Company Security
and Auditing Controls:
Company controls should be built into operations
currently in place.
All departments and personnel within a company
have input to Company Controls.
Company and Internal Controls help to govern
companies currently operating.

Risk Assessment
The identification of key weaknesses in computer systems, nodes on a network, clients,
connectivity and training.
Security Control Activities
Policies and procedures that ensure all levels of the company comply with
standards set by the company.
Activities include hierarchical structure, authorization, implementation, disaster recovery
and planning.
Information and Communication
Information from vendors is archived.
Information from customers (clients) is logged.
Communication along internal paths of the company to ensure all areas of protection are
available.
Monitoring/Auditing
Assessment of the hardware firewall.
Assessment of software patches and service packs.
Management of all personnel.
Auditing of logs and change orders.
Monitoring of the performance of all nodes on the network.
Monitoring of security alert sites, both government and for-profit.

The research paper at this point has focused on the
importance and makeup of generalized Internal
Company Security and Auditing Controls.
Weaknesses in this structure follow:

Communication
Poor or lack of judgment
Lack of training
Lack of concern
Disgruntled employees
Lack of review

It is up to management at all levels to monitor
company security and auditing controls.

Larger companies have a distinct advantage over smaller companies because they can
dedicate staff to the ongoing work required to keep their network infrastructure secure.
The short list of duties below is required to keep data protected:
Periodic changes of passwords
Updating of policy and procedures
Auditing server logs
Auditing firewall logs
Researching new malicious threats at third party information sites
Physical security
Applying patches
Applying service packs
User management
Monitoring spyware/malware
Monitoring new installs
Monitoring performance
Monitoring IDS systems
Monitoring anti-virus protection

Password policies are often overlooked after
the inception of the computer network.
Network administrators can use the local Group
Policy Editor on workstations, or Group Policy in
Active Directory, to set password rules. Minimum
length, complexity and password history settings
can greatly increase computer and network security.
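As an added illustration (not part of the original paper), the following Python code models the three Windows domain password settings named above: minimum length, complexity (at least three of the four character classes and no account name in the password, as Windows defines it) and password history. The policy values, the account name and the sample passwords are assumptions chosen for the example; a weak policy is shown beside a hardened one so the difference in what gets accepted is visible.

```python
"""Password policy check modelled on Windows domain settings: minimum
length, complexity and password history.

Added example, not from the paper. Policy values, the account name and
the sample passwords are assumptions chosen for illustration."""
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    min_length: int = 12
    # Windows complexity rule: at least 3 of 4 character classes and the
    # password must not contain the account name.
    complexity: bool = True
    history_size: int = 24          # previous passwords that may not be reused


@dataclass
class Account:
    name: str
    # (salt, hash) pairs of previous passwords, newest first; storing
    # salted hashes lets us enforce history without keeping plaintext.
    history: list = field(default_factory=list)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _classes(password: str) -> int:
    """Number of character classes (upper, lower, digit, other) present."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(fn(c) for c in password) for fn in checks)


def check_password(policy: PasswordPolicy, account: Account, candidate: str) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.complexity:
        if _classes(candidate) < 3:
            problems.append("fewer than 3 of 4 character classes")
        if account.name.lower() in candidate.lower():
            problems.append("contains the account name")
    for salt, digest in account.history[:policy.history_size]:
        if _hash(candidate, salt) == digest:
            problems.append("reused within password history")
            break
    return problems


def set_password(policy: PasswordPolicy, account: Account, candidate: str) -> bool:
    """Apply the policy and, if it passes, record the new password in history."""
    if check_password(policy, account, candidate):
        return False
    salt = os.urandom(16)
    account.history.insert(0, (salt, _hash(candidate, salt)))
    del account.history[policy.history_size:]
    return True


def demo() -> dict:
    """Run the checks against constructed sample passwords (assumed values)."""
    acct = Account("jsmith")
    strict = PasswordPolicy()                       # hardened settings
    weak = PasswordPolicy(min_length=6, complexity=False, history_size=0)
    return {
        "weak_accepts_password": check_password(weak, acct, "password") == [],
        "strict_rejects_password": check_password(strict, acct, "password"),
        "first_set": set_password(strict, acct, "Correct-Horse-42"),
        "reuse": check_password(strict, acct, "Correct-Horse-42"),
        "contains_name": check_password(strict, acct, "Jsmith-Rocks-2024"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The weak policy accepts "password" outright; the hardened one rejects it on two counts, refuses a password that embeds the account name, and refuses reuse of a password it has already seen, which is what the history setting enforces in Group Policy.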


Companies should review and update policy
and procedures in order to keep up with changes
across their infrastructure. These regulations help to
guide information technology professionals at all
levels. Consistent and concise updates are
critical to security in a network infrastructure.
The auditing of logs at all levels is critical and
cannot be stressed enough. These logs provide
accurate details on the access and changes
requested and made during a session. All of the
companies mentioned in this study review logs on
a frequent basis. This becomes one of the single
most important processes in looking for patterns
and breaches of security.
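The following Python script is an added example, not taken from the paper or from any of the companies it describes. It reviews a small set of constructed server and firewall log lines for the two patterns log auditing is meant to surface: repeated failed logins from one source (a brute-force attempt, flagged more urgently when a success follows) and one source being denied on many ports in a short time (a scan). The syslog-style format, the thresholds and the sample lines are all assumptions.

```python
"""Audit constructed server and firewall log lines for brute-force login
attempts and port scans.

Added example, not from the paper. The log format, the thresholds and the
sample lines below are assumptions made for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like format (not real logs).
SAMPLE_LOGS = """\
2024-03-04T08:00:01 srv1 auth: failed login user=admin src=203.0.113.9
2024-03-04T08:00:03 srv1 auth: failed login user=admin src=203.0.113.9
2024-03-04T08:00:04 srv1 auth: failed login user=root src=203.0.113.9
2024-03-04T08:00:06 srv1 auth: failed login user=admin src=203.0.113.9
2024-03-04T08:00:08 srv1 auth: failed login user=admin src=203.0.113.9
2024-03-04T08:00:09 srv1 auth: accepted login user=admin src=203.0.113.9
2024-03-04T08:15:00 srv1 auth: failed login user=jdoe src=10.0.0.5
2024-03-04T09:30:00 srv1 auth: failed login user=jdoe src=10.0.0.5
2024-03-04T08:02:00 fw1 fw: DENY src=198.51.100.7 dst=192.0.2.10 dport=21
2024-03-04T08:02:01 fw1 fw: DENY src=198.51.100.7 dst=192.0.2.10 dport=22
2024-03-04T08:02:01 fw1 fw: DENY src=198.51.100.7 dst=192.0.2.10 dport=23
2024-03-04T08:02:02 fw1 fw: DENY src=198.51.100.7 dst=192.0.2.10 dport=25
2024-03-04T08:02:02 fw1 fw: DENY src=198.51.100.7 dst=192.0.2.10 dport=80
2024-03-04T08:02:03 fw1 fw: DENY src=198.51.100.7 dst=192.0.2.10 dport=110
2024-03-04T08:02:03 fw1 fw: DENY src=198.51.100.7 dst=192.0.2.10 dport=143
2024-03-04T08:02:04 fw1 fw: DENY src=198.51.100.7 dst=192.0.2.10 dport=443
2024-03-04T08:02:04 fw1 fw: DENY src=198.51.100.7 dst=192.0.2.10 dport=445
2024-03-04T08:02:05 fw1 fw: DENY src=198.51.100.7 dst=192.0.2.10 dport=3389
2024-03-04T08:05:00 fw1 fw: DENY src=10.0.0.8 dst=192.0.2.10 dport=445
"""

AUTH_RE = re.compile(r"^(\S+) \S+ auth: (failed|accepted) login user=(\S+) src=(\S+)")
FW_RE = re.compile(r"^(\S+) \S+ fw: DENY src=(\S+) dst=(\S+) dport=(\d+)")


def find_brute_force(lines, threshold=5, window=timedelta(minutes=1)):
    """Sources with >= threshold failed logins inside a sliding window.
    A later successful login from the same source is the case to escalate."""
    failures = defaultdict(list)
    successes = set()
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, outcome, src = datetime.fromisoformat(m.group(1)), m.group(2), m.group(4)
        if outcome == "failed":
            failures[src].append(ts)
        else:
            successes.add(src)
    findings = {}
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings[src] = {"failures": len(times), "then_succeeded": src in successes}
                break
    return findings


def find_port_scans(lines, min_ports=8, window=timedelta(minutes=1)):
    """Sources denied on >= min_ports distinct destination ports within window."""
    hits = defaultdict(list)
    for line in lines:
        m = FW_RE.match(line)
        if m:
            hits[m.group(2)].append((datetime.fromisoformat(m.group(1)), int(m.group(4))))
    findings = {}
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                findings[src] = sorted(ports)
                break
    return findings


def audit(text=SAMPLE_LOGS) -> dict:
    lines = text.splitlines()
    return {"brute_force": find_brute_force(lines), "port_scans": find_port_scans(lines)}


if __name__ == "__main__":
    print(audit())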

The outline below is provided to illustrate
how Computer and Network Security has been
implemented as a plan at a higher education
facility. This basic outline targets the
infrastructure of companies for which protecting
internal assets is most critical. It shows the
effectiveness of the school's control, auditing
and implementation.

Periodic control of operating system patches
Virtual private networking from staff workstations to domain servers running Student
Information Systems software
Periodic control of operating system service packs
Anti-virus software installed on each workstation, including student
workstations
Spyware/malware control measures
"Pop up" control measures
Application updates (i.e., Microsoft Office and related)
Software Update Services server installed to push updates approved by administration
Documented policy and procedures, school level
Documented policy and procedures, board level
Active Directory server login for staff to establish IT policies
Applications with logging of activities (customized)
Application and security logs running on servers
Network Address Translation used at firewall level
DMZ (demilitarized zone) used for the web server
Hardware firewall (three-homed) used with logs and specific port number restrictions
IDS (Intrusion Detection System) in place and monitored
Traffic monitor in place to monitor inbound, outbound and intra-network packets
Disaster recovery plan in place

Control of patches and updates is one of the
most important aspects of Computer and Network
Security. With operating system flaws among the
most critical things to identify when operating a
network, control of pushing service packs or updates
to computers becomes extremely important. Companies
should have this in their plans, and someone in the
information technology department should be
assigned to check the SUS (Software Update Services)
server daily. This IT person should also check
security and operating system vendor websites for alerts.
Often these sites offer email alerts to notify end-users
of a security problem.

Virtual Private Networks, or VPNs, should be
created between workstations and servers that
contain critical data. Using a tunneling protocol
such as PPTP (Point to Point Tunneling Protocol)
ensures the data is encapsulated as it travels
across the internal network. Packet capturing
software can be installed on any network; the
tunnel encrypts the data and prevents loss due to
network sniffing. One caveat: PPTP's MS-CHAPv2
authentication and its RC4-based MPPE encryption
have known weaknesses, so IPsec or TLS-based VPNs
are the preferred choice today. The goal of
encrypting traffic on the internal segment is
unchanged.


Antivirus software must be installed on every
workstation and updated daily. This updating can be
controlled through push services from a server to
ensure the virus pattern or signature is up to date.
Spyware/malware control is becoming an issue
at all companies. Spyware/malware is software
downloaded automatically by some websites to
track a user's internet surfing habits or to track
software use on the end user's computer. Often
computers become burdened by spyware/malware
loaded in the operating system and become
nonfunctional or extremely slow.

Policy and Procedures

Risk Assessment
Value of product and client data, cost of breach. This assessment can give
the company an idea of the risk of a breach.
Needs Assessment
Committees and subcommittees used to monitor changes, constant
updates and reviews by all members of the information technology team.
Users and applications on a "need to know" basis only. This form of
assessment allows for securing data at different levels based on rank or a
hierarchical structure in the company.
Inventory
Inventory of software and hardware. Inventory allows for control of
products and control of sensitive information.
Structure
Physical security and ideal topologies to meet performance needs and
environmental controls.

Levels of Protection

Workstation
 Antivirus software, operating system updates and patches,
application updates, VPN to servers, strong password
protection
Private Servers
 Antivirus software, operating system updates and patches,
application updates, VPN from workstations, Kerberos
security, tokens and certificates, strong password protection
SNMP nodes
 Password-protected SNMP-manageable devices (the community
string is the password; change the vendor defaults)
Wireless Access Points
 Wireless encryption (128-bit minimum; WPA preferred,
with a RADIUS server)
 MAC filtering (a supplementary control only, since MAC
addresses are easily spoofed)
Firewalls
 Acceptable ports and sites
IDS Systems
 Backend for internal and external NIC cards used to monitor
all traffic within the organization
Network Address Translation Needs
 Public to private IPs for internal networks with few public IP
addresses
Public Servers
 Located in DMZ areas, with all patches and updates applied and only
necessary ports open
Training programs
 New software
 New hardware

The overall strategy for the initial phase of protection
involves the publishing of Policy and Procedures. The
publication of Policy and Procedures includes the
hierarchical structure of the information technology
department and all tasks associated with it. The
following approach is used to monitor the updating of
the Policy and Procedures:
Document changes to existing Policy and Procedures.
Identify weaknesses.
Test the disaster recovery portion of Policy and Procedures.
Test auditing procedures.
Rewrite when a significant number of changes takes
place.
Ongoing training.

Training is in place from the lowest level of help desk to the
Information Technology manager and CIO. Training updates are
given to all employees outside of the IT department so that
security can be maintained throughout the company. These
companies use the following training methods:

Memos to all staff on new viruses
Memos to IT personnel on new viruses
Memos to IT personnel on opportunities to train at seminars
Seminars (mandatory)
Seminars (voluntary)
Webcasts/podcasts
In-house training by security personnel
In-house training by outside resources
College reimbursement
New product training
Policy and procedure review
Proper use of the internet
Proper use of email and best practices

Employ certified and experienced personnel.
All are focused on standards set by CERT.ORG
and other security industry leaders.
Strong Policy and Procedures in place.
Communications among internal company units and
internal information systems.
Committees and sub-committees in place for
compliance issues.

The problem statement components of "when security is
needed, and how to implement it" are answered as follows:
industry-wide compliance with the recommendations of
industry-leading experts.
Restating the key elements from previous chapters:
 Employ a trustworthy Information Technology workforce to
protect assets from within the companies as though the assets were
their own.
 Focus on industry statistics and separate fact from fiction for the
best protection of the security infrastructure.
 Utilize all means of security, including beta-based security tools
and physical tools, and update policies and procedures as necessary.
 Document all deficiencies and follow through on any and all
shortcomings to ensure the best and most adequate protection
from thieves, whether internal or external.
 Ongoing communications between all levels of employees,
from help desk to the CIO (Chief Information Officer).
CIOs cannot lose touch with the reality of the "real" world of
security.
A quality control program should be put into place to
maintain site-wide integrity.
Policy and procedures must be reviewed.
Internet usage policies should exist, and all employees should
review and sign acceptance letters.
Email usage policies should exist, and all employees should
review and sign acceptance letters.
Systems must be tested in order to ensure quality.
Ongoing training must be put into place for IT professionals,
and accurate records must be maintained in order to verify
training and training needs.

The recommendations from this study are as follows:
Companies should do extensive background checks on their
Information Technology employees. Checks should include
financial, criminal and past employment checks.
Companies should put Policy and Procedures into place to make
sure that all aspects of disaster recovery and planning are covered,
including hardware failure, software failure, network setup,
personnel hierarchy, team responsibilities, deployment of all
software and appropriate licensing, and other mission-critical
objectives.
Companies should have a consistent audit practice in place for
server logs, firewall logs, patches, service packs and updates.
The network infrastructure for companies needs a consistent
quarterly overview committee to look at security needs and
challenges. This would provide quarterly updates of mission
statements and policies as needed.
Companies need training programs in place for junior as
well as senior level analysts to understand the challenging
environment of security. These training programs need to
include industry leaders and seminars from software
vendors.
Companies need consistent and open forums within their
infrastructure for communication of daily changes affecting
the security environment.
The hierarchical structure of the internal department of
Information Systems/Technology needs to be dynamically
flexible to meet the needs and challenges facing the ever
changing world of information technology security in the
workplace.
Small e-commerce servers should "dump" data to a printer
so it can be re-entered as a precautionary measure in case of a
breach of an internal file server.
"Companies must provide high level training to meet the
needs of industry growth while maintaining a balanced
budget and customer security."